Wednesday, January 10, 2018

CryptoTokenKit.pivtoken (Panda)

I don't know anything about cryptocurrency; I know absolutely nothing about Bitcoin, Ethereum, or any of the rest. In fact, those are the only two names I know. But I found this script in my User/Containers folder and think it may either be some kind of mining script, or possibly some way of stealing cryptocurrency -- since it appears to be connected to an associated script which looks like it sends out Cloud Invitations.

This may be related to the Panda Network virus, as at least one other script was titled "Now Playing." For whatever it's worth, it did not come from North Korea; it came from somewhere and someone domestically (US), and I believe it is part of the Sakula malware, a preferred methodology of the US military intelligence and "law enforcement" community (NSA, CIA, NSC, et al.).

This came from the West Tennessee area.  

Here is the script in full:


© Copyright 2018, The Cyberculturalist